Recently a dermatology practice learned that something so small could be very costly.
Adult & Pediatric Dermatology, P.C., of Concord, Mass., lost a thumb drive, which doesn’t seem like a huge deal except that this specific thumb drive was unencrypted and contained the electronic protected health information of about 2,200 individuals.
The US Department of Health and Human Services Office for Civil Rights received a report that the thumb drive was stolen from an APDerm employee’s vehicle and never recovered. After conducting its investigation, OCR and APDerm agreed to a $150,000 penalty. APDerm received this HIPAA penalty not only because it lost the thumb drive, but also because the practice had never identified the device as a risk in a HIPAA risk analysis and had not managed that risk so that its patients’ data was protected.
Besides paying the $150,000, APDerm was given a corrective action plan that requires it to develop a risk analysis and risk management plan that addresses and mitigates any security risks and vulnerabilities, and it must give OCR an implementation report once the plan is completed.
There are three ways this practice could have prevented this from happening:
- Don’t put your protected data onto a remote or portable device since those can be easily lost or stolen. Use a secure remote access tool if you need the information outside of your office.
- Encrypt all of your data to protect your patients and your practice. Use encryption for all devices, portable and stationary.
- Have a risk analysis done by a professional. It’s cheaper to hire a professional to do the analysis for you than to do it yourself and risk receiving a HIPAA penalty.
If you’re a healthcare provider, be sure to follow these steps. If not, you risk following in the footsteps of APDerm and costing your practice a great deal of money and time, as well as its reputation, over something as small as a thumb drive.